A file system for a portable data carrier (10) provides improved security for files which support multiple applications,
from custom repertory dialing to storage of individual medical and/or banking records. Although the portable data
carrier looks and feels much like an ordinary credit card, it includes a computer (110) and an electrically erasable
programmable read-only memory (115). Power for operation of the portable data carrier is provided from an associated
station (18) via a reader/writer (15). The reader/writer also couples data between the data carrier and the associated
station. The applications reside in multiple files (42-48) in memory on the portable data carrier. Appropriate
application software residing in the station, when accompanied by an appropriate password, enables the retrieval and
modification of these files. A separate password is required for gaining access to each of the designated levels of
interaction between the portable data carrier and the associated station. Additional restrictions, such as requiring an
additional password for writing to a file and allowing a user logged in at a particular security level only to append
information to a file, may be imposed in accordance with file security on the portable data carrier. And since each of
the files may have its own security requirements, multiple applications may exist on the portable data carrier without
conflict or confusion.
SECURITY FILE SYSTEM FOR A PORTABLE DATA CARRIER

Background of the Invention

This invention relates to portable data carriers such as smart cards having electrical memories for storing data,
and more particularly to a system for securing the data contained in such portable data carriers.
2. Description of the Prior Art

The use of credit cards for purchases and for banking and other transactions has become so popular that most
travelers today do so with very little cash. The card, typically made of plastic embossed with an account number and
the name of the account owner, serves solely to identify an authorized account at a bank or credit house to be charged
for a transaction. A magnetic stripe on the back of some cards contains the same information, but is machine-readable
to speed the transaction. All accounting information is stored at the bank or credit house.

Since transactions generally occur at a location remote from the bank or credit house, it is easy for a person to use
a misappropriated card, or for a legitimate owner to inadvertently exceed his credit limit. Most merchants, therefore,
require that before purchases above a relatively modest amount such as $50.00 are completed, the authorization must be
verified with the bank or credit house as appropriate. Even with automatic telephone dialing, the procedure is
cumbersome and time-consuming. Furthermore, a separate card is needed for each account.

With the advent of recent advances in microelectronics, however, it is now possible to put a vast amount of computing
power and memory right in the card to produce a "smart card" or "portable data carrier". The card could carry the
account numbers of all of the owner's charge accounts, the balances of all of the accounts, the credit limits of all
of the accounts and be updated locally with each transaction. The card could also carry other such personal data as,
for example, the sizes of family members for clothing purchases, personal telephone directories, etc. The types of
personal data are limited only by one's imagination.
The technology for putting all of this on the standard size card is here. What still remains, however, is the problem
of providing suitable security for the data on the card. Such security requires authentication procedures that
virtually eliminate fraudulent use.
Summary of the Invention

In accordance with the invention, a high security portable data carrier or smart card, typically the size of a
standard plastic credit card, may be used in a variety of applications, from custom repertory dialing to storage of
individual medical and/or banking records. Although the card looks and feels much like an ordinary credit card, it
includes a computer, an electrically erasable programmable read-only memory (EEPROM), and also circuitry for receiving
a combined power and timing signal from a card reader/writer optionally located with an associated station. These card
components and circuitry also receive and transmit data signals between the card and, via the reader/writer, the
associated station.

A customer's personal information resides in multiple files in the EEPROM on the card. Appropriate application
software residing in the station, when accompanied by an appropriate password, enables the retrieval and modification
of these files. A separate password is required for gaining access to each of the designated levels of interaction
between the card and the associated station.

The card runs an executive operating system that is accessed from the station via a set of operating system command
primitives. These command primitives manipulate the card file system in accordance with rules imposed to maintain
card security. In so doing, direct access to the card file system and its commands is not allowed to the normal user.

In order to provide security protection for the card file system and the card commands, and yet allow for flexibility
in handling different types of applications, the card employs six different security levels. These security levels
enable the card to protect two types of resources: the card file system and the card commands. Access to these
resources is a function of the authorized login level, the command requested and the file to be accessed. Additional
restrictions, such as requiring an additional password for writing to or reading a file and allowing a user logged in
at a particular security level only to append information to a file, may be imposed in accordance with the rules of
card file security. In addition, encryption of data as it is provided to the card from the station is also available
for very sensitive files, or can be provided by the card. And since each of the files may have its own security
requirements, multiple applications may exist on the card without conflict or confusion.

Another aspect of file security is the locking of the card. The security levels available to the normal user will lock
after a specified number of unsuccessful attempts to log in at each one of those levels. Any level above the locked
level, however, is able to unlock the card at the lower locked level. This permits a dispersal of card maintenance to
the level just above the locked level.
Brief Description of the Drawings

The invention and its mode of operation will be more clearly understood from the following detailed description when
read with the appended drawing in which:

FIG. 1 is a functional block representation of the major functional components of a portable data carrier system and
their general interconnection with each other;

FIG. 2 is a table showing six security levels for which access is available to the portable data carrier employed in
the system of FIG. 1;

FIG. 3 illustrates the file system for data contained in the portable data carrier, which is segmented into two
regions, the header and the data segment;

FIG. 4 illustrates the three sections of each file located in the data segment region of a portable data carrier
system;

FIG. 5 illustrates the hierarchical structure of the Normal Security Class levels, which employ an optional password
per file and an append-only feature;

FIG. 6 is a table showing command primitives used in communicating with the operating system on the portable data
carrier;

FIG. 7 depicts a flow chart illustrating a login sequence which aids in preventing unauthorized access to the portable
data carrier;

FIG. 8 shows the software hierarchy of the portable data carrier system arranged for operation in the protocol
employed in the system;

FIG. 9 illustrates a message format suitable for use in communications between the major subsystems of the portable
data carrier system;
FIG. 10 depicts a flow chart illustrating the link layer decision making process for operation of the application
station in a half-duplex protocol; and

FIG. 11 depicts a flow chart illustrating the link layer decision making process for operation of both the
reader/writer and the portable data carrier in a half-duplex protocol.

Throughout the drawings, the same elements when shown in more than one figure are designated by the same reference
numerals.
Detailed Description

With reference to FIG. 1, there is shown a portable data carrier (PDC) system which for ease of understanding may be
divided into three subsystems. The first of these is a portable data carrier or card 10 which contains a memory
capable of storing and updating information for a user. The second subsystem is a card reader/writer 15 which links
the card with a station 18, the third subsystem. This last subsystem is a suitably configured application station
which comprises a computer or dedicated workstation that runs application software necessary for accessing the memory
in the card. The application software resides in the station and enables the retrieval and modification of
information stored in the memory of the card 10.

The card 10 runs an executive operating system that is accessed via a set of operating system command primitives.
These command primitives manipulate a file system on the card in accordance with rules required by card security.

Some of the principal components located in the card 10 are a microcomputer 110, an electrically erasable programmable
read-only memory (EEPROM) 115, an analog interface circuit 130, the secondary winding 121 of a transformer 120, and
capacitive plates 125 through 128.

The microcomputer 110 includes a central processing unit and memory units in the form of random-access memory and
read-only memory. Operating under firmware control provided by its internal read-only memory, the microcomputer 110
formats data that is transferred directly to the EEPROM 115 and via the reader/writer 15 to the station 18. The entire
EEPROM or a portion of it may be an integral part of the microcomputer, or it may be a separate element. The
microcomputer 110 also interprets the command primitives from the station 18 received through the reader/writer 15.



WO 87/07061    PCT/US87/009U



By employing EEPROM 115 in the card 10, an authorized user has the ability to reprogram certain application files in
the memory section of the card, while at an authorized associated application station, with new and different data as
desired. EEPROMs are available from a number of suppliers, many of whom are mentioned in an article entitled "Are
EEPROMs Finally Ready To Take Off?" by J. Robert Lineback, Electronics, Vol. 59, No. 7, (February 17, 1986),
pp. 40-41. Data may be written to and read or erased from an EEPROM repeatedly while operating power is being applied.
When operating power is removed, any changes made to the data in the EEPROM remain and are retrievable whenever the
card 10 is again powered.

The analog interface circuit 130 provides a means for interfacing the memory card 10 to the reader/writer 15. This
interface performs a multitude of functions including providing operating power from magnetic energy coupled from the
reader/writer 15 to the card 10, and also coupling data between the reader/writer 15 and the microcomputer 110 in the
card 10. Power for operating the card 10 is provided to the analog interface circuit 130 via an inductive interface
provided by the secondary winding 121 of a transformer 120. This transformer is formed when this secondary winding in
the card 10 is mated to a primary winding 122 in the reader/writer 15. The station 18 provides the source of power for
operation of both the reader/writer 15 and the card 10.

The transformer 120 may advantageously include a ferrite core 123 in the reader/writer for increased coupling between
the transformer primary winding 122 and secondary winding 121. A second such core 124 may also be included in the
transformer 120 and associated with the secondary winding 121 in the card for a further increase in coupling
efficiency. In those arrangements where ample power is available and efficiency is not a consideration, one or both of
these cores may be omitted.

Data reception to and transmission from the card 10 are provided by a capacitive interface connected to the analog
interface 130. This capacitive interface comprises four capacitors formed when electrodes or plates 125 through 128 on
the card 10 are mated with corresponding electrodes or plates 155 through 158 in the reader/writer 15. Two of these
capacitors are used to transfer data to the card 10 from the reader/writer 15 and the remaining two are used to
transfer data to the reader/writer 15 from the card 10. The combination of the inductive interface and the capacitive
interface provides the complete communication interface between the reader/writer 15 and the memory card 10.

The organization of some of the components in the reader/writer 15 functionally mirrors those in the card 10. Such
components are, for example, an analog interface circuit 140 and a microcomputer 150. In addition, the reader/writer
15 also includes a power supply 162 and an input/output interface 160. The power supply 162 is used to provide power
and also to couple a clock signal from the reader/writer 15 to the card 10 through the transformer 120. The
input/output interface 160 is principally a universal asynchronous receiver transmitter (UART) and may be
advantageously included in the microcomputer 150. This UART communicates with the application station 18, which could
be an office editing station, factory editing station, issuer editing station, public telephone station or other
suitably configured station.

The security concerns for the PDC system are divided into two broad areas. The first area is directed to aspects of
identification and authentication, to insure that the station is both (1) communicating with an authentic card and
(2) communicating with an authentic application file on the card. The second area is directed to controlling access
to files on the card and limiting the exercise of card commands by an application at the station, an application being
an account, or the like, which accesses specific data in a file on the card.

Without a suitable authentication procedure, those with the intent of defrauding the system might be able to simulate
the protocol at the station, thereby gaining information about the PDC system.

A method of insuring that the station is communicating with an authentic file on an authentic card is achieved by
assigning each card a unique serial number and using this number, or a subset thereof, along with a concealed
application password residing in the station. These numbers are manipulated algorithmically to produce an
authentication code which is stored in the application file on the card at the time of creation. During subsequent
transactions, this code must compare favorably with a similar code generated independently by the station.
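The file-to-card binding described above, worked as an added Python illustration (this is not code from the patent, which names no concrete algorithm). The "algorithmic manipulation" of the serial number and the concealed application password is modelled here with an HMAC keyed by the application password; that choice, the 8-byte truncation, the inclusion of the file identification number in the message, and the `Card` class with its `auth_codes` dictionary are all assumptions made for the example. The serial numbers and the application password are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac


# Stand-in for the patent's unspecified "algorithmic manipulation": an HMAC keyed
# with the concealed application password over the card serial number and the
# file identification number (assumption; the patent names no algorithm).
def authentication_code(app_password: bytes, serial_number: bytes, file_id: int) -> bytes:
    message = serial_number + bytes([file_id])
    return hmac.new(app_password, message, hashlib.sha256).digest()[:8]


class Card:
    """Toy card: a unique serial number and, per application file, the stored code."""

    def __init__(self, serial_number: bytes):
        self.serial_number = serial_number
        self.auth_codes: dict[int, bytes] = {}


def create_application_file(card: Card, file_id: int, app_password: bytes) -> None:
    """Station side at file creation: compute the code and store it in the file on the card."""
    card.auth_codes[file_id] = authentication_code(app_password, card.serial_number, file_id)


def verify_application_file(card: Card, file_id: int, app_password: bytes) -> bool:
    """Station side at each later transaction: regenerate the code independently from the
    card's serial number and compare it (in constant time) with the stored one."""
    stored = card.auth_codes.get(file_id)
    if stored is None:
        return False
    expected = authentication_code(app_password, card.serial_number, file_id)
    return hmac.compare_digest(stored, expected)


if __name__ == "__main__":
    # Constructed sample data, not values from the patent.
    genuine = Card(serial_number=bytes.fromhex("00112233445566"))
    create_application_file(genuine, 0x10, b"bank-application-password")
    print(verify_application_file(genuine, 0x10, b"bank-application-password"))  # True
    # Copying the file to a card with another serial number breaks the binding.
    clone = Card(serial_number=bytes.fromhex("99887766554433"))
    clone.auth_codes[0x10] = genuine.auth_codes[0x10]
    print(verify_application_file(clone, 0x10, b"bank-application-password"))  # False
```

Two properties of this scheme are worth keeping in mind when reading the rest of the description: the binding is only as strong as the serial number the card presents, so a device that simulates the card protocol and reports a chosen serial number together with a copied code is not detected by this check alone; and every station holding the concealed application password can mint valid codes, so that password must be protected at least as carefully as the files it vouches for.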
In order to provide security protection for the card file system and the card commands, and yet allow for flexibility
in handling different types of applications, the card employs six different security levels. These security levels
enable the card to protect two types of resources: the card file system and the card commands. Access to any of these
resources is a function of the authorized login level, the command requested, the file to be accessed and such
additional restrictions as are imposed by the owner of the card.

The first four security levels make up the Normal Security Class and are [...] for use in a public environment. The
first and lowest level in the hierarchical security levels is a PUBLIC login level for general information and
identification. [...] information, insurance identification number or library card information are examples of
public data. When the card is initialized, and on power-up or reset at a station, it comes up at the PUBLIC login
level.

The second level is the USER level and requires a user's password for [...] level. The third level is the SUB ISSUER
level, which also requires a password [...] MASTER ISSUER or the owner of the card.

The fourth level of security is that retained by the MASTER ISSUER. It is at this level that the card is formatted and
files [...] issued. An example of how these levels may be utilized is as follows: a bank [...]. The bank [...]
customers [...] card, and only persons or programs with the proper credentials for a particular file may access that
file at an appropriate application station.

The two top security levels, DEVELOPER and SUPER USER, are placed in the Extended Security Class, which has commands
that are not available to the levels in the Normal Security Class category.
The fifth level or SUPER USER level is the factory, which is responsible for construction and testing, and which
initializes blank cards in such a way that security is [...] and misappropriated blank cards may not be used. Finally,
the sixth and highest level is the DEVELOPER level of the card. Both the SUPER USER and DEVELOPER security levels are
capable of accessing the entire card file system, including the card system header, to be described [...]. The card
requires a login by means of a password before access to files other than [...] is permitted.

Referring next to FIG. 3, there is shown the card file system, which is segmented into two regions: the header, which
is the administration portion, and the data segment. The header contains [...] number, the passwords for the [...],
[...] the database and the memory size in kilobytes of the EEPROM. [...] access to the header section is [...].

The data segment 30 of the card is divided into fixed records whose size is set by the [...] ISSUER. Each utilized
record 31 [...] of the appropriate file is [...] record which is assigned that file identification number.

The card has no file directory and there are no pointers between the different records of the same file. File records
are located not by pointers but by linear order. The operating system searches the EEPROM from the lowest to the
highest address. The first record found with a particular file identification number is the first record in that
file, and the last record located with that file's identification number is the last record in that file. The card
operating system reads the records of a file as each record in the particular file is encountered. The maximum size
and number of files permitted on the card is limited only by the size of the memory in the EEPROM. Station application
software reading a file sees only a contiguous stream of bytes which is independent of the card internal file
structure.

Referring next to FIG. 4, there is shown in greater detail the three sections of each file in the data segment region
of a card file system. A prefix section 41 which is located in the first record of each file contains the file
identification number 42 and protection bytes 43, 44 and 45. The file identification number is a number between 1 and
hex FE, inclusive. Hex number 00 and hex number FF are reserved for respectively indicating an unused record and the
end of available memory in the EEPROM.

The protection bytes 43 through 45 specify the file permissions. The first byte 43 represents read permission,
designating the minimal level at which the file may be read, and the second byte 44 represents read/write permission,
designating the minimal level at which the file may be both read and written.

Thus read permission for a file is separable from read/write permission for a file. Different security levels may also
be specified for read versus read/write access. For example, the read permission for a file may be at PUBLIC level,
allowing public access to public information, but the write permission could be specified at USER level, which
prohibits writing to the file without the user's consent.
With reference briefly to FIG. 5, there is shown the hierarchical structure of the Normal Security Class levels, which
may employ optional passwords and an append-only feature. For increased flexibility in the use of the card, each file
on the card may include in its protection bytes a requirement that an optional password be provided before allowing
access to a particular file. This is in addition to the requirement that a user has to be at the required security
level of the card's operating system for gaining access to a file protected to that level. Thus, by way of example, a
file with read/write permissions for a user which includes an optional write password requires (1) logging into the
card at user level and (2) opening the file in order to read it. To write to this file, however, the user must (1) log
into the card at user level and (2) open the file for 'write' by providing the optional password. This does not apply
to a person logging in at a higher level than the access permissions of a file require. A person logging in at such a
level may gain access to that file even though an optional password is required at the designated security level.

The hierarchical structure of the Normal Security Class levels is such that the MASTER ISSUER is able to read and
write to any file at and beneath its level; the SUB ISSUER is able to read and write to any file at and beneath its
level. Similarly, the card holder is able to read and write to any file at its level or the public level.

In an application where it is deemed appropriate, the protection byte 45 in FIG. 4 may be set to implement an
'append-only' mode which permits the user only to add data to a file but not to overwrite existing data. Records
reflecting the appropriate application file are created for accepting this data as it is entered. Thus a file may be
designated for read/append permission as well as read/write permission.
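The access decision that the three protection bytes and the level hierarchy of FIG. 5 define, written out as an added Python example (not the card firmware; the patent gives only the rules). The numeric values of the six levels, the bit positions of the append-only and optional-password flags in byte 45, the `FileProtection` and `open_file` names, and the decision that append-only restricts every level (the text does not say that a higher level is exempt from it, whereas it does say so for the optional password) are assumptions for the example.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The six login levels, lowest to highest; comparisons follow the hierarchy."""
    PUBLIC = 0
    USER = 1
    SUB_ISSUER = 2
    MASTER_ISSUER = 3
    SUPER_USER = 4
    DEVELOPER = 5


# Flags in the third protection byte (byte 45). The page names the append-only
# mode and the optional password; the bit positions here are an assumption.
APPEND_ONLY = 0x01
OPTIONAL_WRITE_PASSWORD = 0x02


@dataclass
class FileProtection:
    file_id: int
    read_level: Level            # byte 43: minimum level that may read
    write_level: Level           # byte 44: minimum level that may read and write
    flags: int = 0               # byte 45
    write_password: bytes = b""  # the optional per-file password (assumed to be stored with the file)


def open_file(f: FileProtection, login_level: Level, mode: str,
              password: bytes = b"") -> tuple[bool, str]:
    """Decide whether a session logged in at `login_level` may open file `f` in `mode`.

    mode is "read", "write" (may overwrite) or "append" (only adds data).
    Returns (allowed, reason).
    """
    if mode == "read":
        if login_level < f.read_level:
            return False, "login level below the file's read permission"
        return True, "read"

    if mode not in ("write", "append"):
        return False, "unknown mode"
    if login_level < f.write_level:
        return False, "login level below the file's read/write permission"

    # The optional password is demanded only of a session at exactly the
    # designated level; a login above that level gains access without it.
    if f.flags & OPTIONAL_WRITE_PASSWORD and login_level == f.write_level:
        if not hmac.compare_digest(password, f.write_password):
            return False, "optional write password required"

    # Append-only is enforced at every level (assumption: the page does not
    # say that higher levels are exempt from it).
    if f.flags & APPEND_ONLY and mode == "write":
        return False, "file is append-only; existing data may not be overwritten"
    return True, mode


if __name__ == "__main__":
    # Constructed sample files: a telephone directory readable by anyone but
    # writable only by the card holder with the optional password, and a log
    # the holder may only append to.
    phone = FileProtection(0x20, Level.PUBLIC, Level.USER, OPTIONAL_WRITE_PASSWORD, b"1234")
    log = FileProtection(0x21, Level.USER, Level.USER, APPEND_ONLY)
    print(open_file(phone, Level.PUBLIC, "read"))          # (True, 'read')
    print(open_file(phone, Level.USER, "write"))           # (False, 'optional write password required')
    print(open_file(phone, Level.SUB_ISSUER, "write"))     # (True, 'write')
    print(open_file(log, Level.USER, "write"))             # (False, 'file is append-only; ...')
```

The comparison of the optional password uses a constant-time compare so that the decision does not leak how many leading bytes of a guess were right; the lockout rules for guessing that password are covered with the login sequence later in the description.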

An information section 46 of a file contains the actual data located in each record of that file. And a suffix section
47 with a number M in the last byte 48 of the last record N indicates the number of application data bytes in that last
record.

The executive operating system on the card is accessed by the Normal Security Class levels through use of the commonly
understood command primitives shown in FIG. 6. These command primitives control the security access for the card, file
creation and access, and also administrative and testing activities. Additional command primitives are available for
the SUPER USER or DEVELOPER login levels.

Operation of these command primitives may be illustrated through a description of the operation of the 'login'
command. In order to log into the card, the user is required to specify a login level and a password. This password is
checked internally by the card algorithmically against the appropriate password at the same login level in the card
header. If a card user is attempting to gain access to a file with a login level lower than that required by the file,
permission to open the file either for read or for read/write is denied.
The passwords for each security level are placed in the card header when the card is manufactured. The password
command allows the user at a logged-on security level to change the password of its level or any level below it.
Thus, if a password is lost or forgotten, it can be rewritten by logging into the card at a higher security level and
using the password command. In this way the lost password need not be recovered.

The number of consecutive unsuccessful 'login' attempts per security level is limited to a specified number. When this
number is exceeded the card can be configured either to lock at that security level, or to erase the database of the
entire card. If the card is configured to lock, any level above the locked level is able to unlock it. This permits a
dispersal of card maintenance to the lowest level possible above the locked level. The number of failures is recorded
in the header portion of the EEPROM, in an appropriate "password failure counter".

It is also possible to protect a file which requires an optional password against repeated guessing. Files may be
individually protected in the same manner as the card by setting a bit in the file protection bytes for erasing that
file, if desired. Thus a person attempting to open a file which requires an optional password has only a certain
number of attempts before the card locks or the data in that file is erased.

Referring now to FIG. 7, there is shown a flow diagram of that part of the operating system on the card which aids in
preventing unauthorized logins into the card. Each time a login command is accessed, the password failure counter is
first updated to reflect a password failure. Next, the given password is checked against the password in the card
header. If the proper password is given, the password counter is cleared. This feature prevents sophisticated brute
force attacks on the password by equipment which could remove power from the card after unsuccessful login attempts
but before the failure counter could be updated to reflect the failure.
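The login sequence of FIG. 7 together with the lock/erase policy, the unlock-from-above rule and the password command, worked as an added Python model (this is not the card's firmware, which the patent does not reproduce). The limit of three failures, the `erase_on_exceed` configuration flag, the `Header` and `CardSession` names and the `power_lost_after_check` switch are assumptions for the example. The `Header` object stands for the header region of the EEPROM and survives across `CardSession` objects, each of which stands for one insertion of the card (one power cycle). The passwords in the demonstration are constructed sample data.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass, field

PUBLIC, USER, SUB_ISSUER, MASTER_ISSUER = 0, 1, 2, 3
MAX_FAILURES = 3   # "a specified number" in the text; the value is an assumption


@dataclass
class Header:
    """Header (administrative) region of the EEPROM; it outlives power cycles."""
    passwords: dict[int, bytes]
    failures: dict[int, int] = field(default_factory=dict)   # password failure counters
    locked: set[int] = field(default_factory=set)
    erase_on_exceed: bool = False   # configuration: lock the level, or erase the card
    erased: bool = False


class CardSession:
    def __init__(self, header: Header):
        self.hdr = header
        self.level = PUBLIC   # the card always comes up at PUBLIC on power-up or reset

    def login(self, level: int, password: bytes, power_lost_after_check: bool = False) -> bool:
        hdr = self.hdr
        if hdr.erased or level not in hdr.passwords or level in hdr.locked:
            return False
        # Record a failure *before* the comparison. Cutting power right after the
        # check (simulated by power_lost_after_check) therefore still costs one attempt.
        hdr.failures[level] = hdr.failures.get(level, 0) + 1
        if hdr.failures[level] > MAX_FAILURES:
            # The limit is exceeded: apply the configured policy and refuse this attempt,
            # whatever password was offered.
            if hdr.erase_on_exceed:
                hdr.passwords.clear()
                hdr.erased = True
            else:
                hdr.locked.add(level)
            return False
        correct = hmac.compare_digest(password, hdr.passwords[level])
        if power_lost_after_check:
            return False   # nothing below is reached, but the counter already advanced
        if correct:
            hdr.failures[level] = 0   # a successful login clears the counter
            self.level = level
        return correct

    def unlock(self, level: int) -> bool:
        """Any level strictly above the locked level may unlock it."""
        if self.level <= level or level not in self.hdr.locked:
            return False
        self.hdr.locked.discard(level)
        self.hdr.failures[level] = 0
        return True

    def set_password(self, level: int, new_password: bytes) -> bool:
        """The password command: change the password of one's own level or any level below."""
        if self.level < level or level not in self.hdr.passwords:
            return False
        self.hdr.passwords[level] = new_password
        return True


if __name__ == "__main__":
    hdr = Header(passwords={USER: b"user-pw", SUB_ISSUER: b"sub-pw", MASTER_ISSUER: b"master-pw"})
    for _ in range(3):                                   # three wrong guesses, re-inserting each time
        CardSession(hdr).login(USER, b"guess")
    print(CardSession(hdr).login(USER, b"user-pw"))      # False: fourth attempt locks USER
    s = CardSession(hdr)
    s.login(SUB_ISSUER, b"sub-pw")
    print(s.unlock(USER))                                # True: the level above unlocks it
    print(CardSession(hdr).login(USER, b"user-pw"))      # True
```

With `MAX_FAILURES = 3` the card tolerates three consecutive wrong passwords at a level; the fourth attempt is refused and locks (or, when so configured, erases) before the password is even compared, so an attacker who cuts power after each comparison gains nothing, because the counter was already written. A card configured to erase on exceeding the limit trades recoverability for confidentiality: nothing above the locked level can restore it.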

To aid in the development of application software, a high level software library has been created to support all
interactions between the station and the reader/writer and also between the station and the card. As a result, an
application programmer does not need to be concerned with the tedious details of the card internals or the
communication protocol. His code interfaces directly with the library and the library interfaces with the card.

The library is divided into four sections: a card library section which provides for direct mapping of card commands
such as those shown in FIG. 6, a reader/writer library section which provides for direct mapping of reader/writer
commands, a compound library section which contains card and/or reader/writer commands, and finally a control section
which contains common control functions located on the station. These functions include details of initialization,
termination and control of ports and logical devices. This library thus functions as a software interface and provides
a way to access devices and files that closely resembles typical computer protocols and eases the burden on the
application programmer.

Allocation of records, deallocation of records and garbage collection are provided for in the operating system of the
card. When information is deleted from a file, the card returns any released records to the available pool of records
and arranges the utilized records in linear order by performing a garbage collection. Through this garbage collection,
all unused records on the card are collected at the end of the card memory. Allocation of additional records, as
required, is automatically performed when a write goes beyond the last record of a file. By always maintaining the
available records at the end of the card, new records for a file are always allocated past the previous end of the
file, thereby maintaining the linear order of the records of each file.
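The record structure of FIGS. 3 and 4 (file identification number and protection bytes in the first record, the count M in the last byte of the last record, no directory and no pointers) and the allocation, release and garbage-collection behaviour described above, combined in one added Python model. This is an illustration written for this page, not the card's operating system. The record size of 16 bytes, the placement of the protection bytes immediately after the file identification number, the `Eeprom` class and its method names are assumptions; the reserved values 00 and FF and the rule that M counts the application bytes of the last record come from the description.

```python
from __future__ import annotations

RECORD_SIZE = 16          # fixed record size; set by the issuer per the text, 16 is assumed here
PREFIX_LEN = 4            # file id + protection bytes 43, 44, 45 in a file's first record
UNUSED, END_OF_MEMORY = 0x00, 0xFF   # reserved first-byte values


def valid_file_id(file_id: int) -> bool:
    return 1 <= file_id <= 0xFE


class Eeprom:
    """Data segment as fixed records with no directory and no pointers: a file is the
    set of records carrying its id, taken in address order (low to high)."""

    def __init__(self, n_records: int):
        self.records = [bytearray(RECORD_SIZE) for _ in range(n_records)]
        self.records.append(bytearray([END_OF_MEMORY]) + bytearray(RECORD_SIZE - 1))

    def _indices(self, file_id: int) -> list[int]:
        found = []
        for i, rec in enumerate(self.records):   # linear scan, stopping at the end mark
            if rec[0] == END_OF_MEMORY:
                break
            if rec[0] == file_id:
                found.append(i)
        return found

    def _free_index(self) -> int:
        for i, rec in enumerate(self.records):
            if rec[0] == END_OF_MEMORY:
                break
            if rec[0] == UNUSED:
                return i
        raise MemoryError("no unused records")

    def garbage_collect(self) -> None:
        """Move used records toward the low addresses, keeping their relative order,
        so that every unused record sits at the end of memory."""
        end = self.records[-1]
        used = [r for r in self.records[:-1] if r[0] != UNUSED]
        free = [bytearray(RECORD_SIZE) for _ in range(len(self.records) - 1 - len(used))]
        self.records = used + free + [end]

    def create_file(self, file_id: int, read_level: int, write_level: int, flags: int = 0) -> None:
        if not valid_file_id(file_id) or self._indices(file_id):
            raise ValueError("bad or duplicate file id")
        rec = self.records[self._free_index()]
        rec[:PREFIX_LEN] = bytes([file_id, read_level, write_level, flags])
        rec[-1] = 0   # suffix byte M: no application data yet in the (only) last record

    def protection_bytes(self, file_id: int) -> tuple[int, int, int]:
        first = self.records[self._indices(file_id)[0]]
        return first[1], first[2], first[3]

    def read_file(self, file_id: int) -> bytes:
        """What the station sees: a contiguous byte stream, independent of record layout."""
        idx = self._indices(file_id)
        if not idx:
            raise FileNotFoundError(file_id)
        data = bytearray()
        for n, i in enumerate(idx):
            rec = self.records[i]
            body = rec[PREFIX_LEN:] if n == 0 else rec[1:]
            if i == idx[-1]:
                body = body[: rec[-1]]   # only M bytes of the last record are data
            data += body
        return bytes(data)

    def write_file(self, file_id: int, content: bytes) -> None:
        """Rewrite a file: surplus records are released and memory compacted, extra
        records are allocated past the end of every existing file."""
        idx = self._indices(file_id)
        if not idx:
            raise FileNotFoundError(file_id)
        prefix = bytes(self.records[idx[0]][:PREFIX_LEN])
        bodies, pos, first = [], 0, True
        while True:   # the last body leaves one byte for the suffix count M
            cap = RECORD_SIZE - (PREFIX_LEN if first else 1)
            if len(content) - pos <= cap - 1:
                bodies.append(content[pos:])
                break
            bodies.append(content[pos:pos + cap])
            pos, first = pos + cap, False
        for i in idx[len(bodies):]:
            self.records[i] = bytearray(RECORD_SIZE)   # release surplus records
        self.garbage_collect()
        idx = self._indices(file_id)
        while len(idx) < len(bodies):                  # allocate past the end of all files
            i = self._free_index()
            self.records[i][0] = file_id
            idx.append(i)
        for n, (i, body) in enumerate(zip(idx, bodies)):
            rec = bytearray(RECORD_SIZE)
            head = prefix if n == 0 else bytes([file_id])
            rec[:len(head)] = head
            rec[len(head):len(head) + len(body)] = body
            if n == len(bodies) - 1:
                rec[-1] = len(body)
            self.records[i] = rec

    def append_file(self, file_id: int, data: bytes) -> None:
        self.write_file(file_id, self.read_file(file_id) + data)
```

Because allocation always takes the first unused record and garbage collection keeps all unused records at the top of memory, a file's records are always found in ascending address order by the linear scan, which is what lets the card dispense with a directory. The station only ever sees the result of `read_file`; the record boundaries, the suffix byte and the free pool are invisible to it, which is the point made in the next paragraph.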

Information as to the allocation and deallocation of records is not available to the application at the station.
Security is enhanced since the application merely sees contiguous data without any implementation details. Nor is
direct access to the application files in raw format permitted to users having access to those commands found in the
Normal Security Class level. Access to the entire card is permitted only to the users having access to the commands
found in the Extended Security Class level, to insure tight security during card production and testing.
Referring now to FIG. 8, there is shown the software hierarchy arranged for operation in the communications protocol
of the PDC system. An application layer 181 within the station 18 interfaces with the card 10 and also with the user
at a terminal 187 through a terminal interface 182 or to an optional database through a database interface 184. To
simplify access to the card 10, the application layer 180 interfaces with the library layer 185 discussed herein
above. This in turn interfaces with the link layer 186 which handles the actual transactions with the reader/writer
15 and the card 10.

Although the station 18 is connected through a serial port to the reader/writer 15, it communicates directly with the
card 10 as well as with the reader/writer 15. Every message which is intended for the card 10 is therefore
transparently forwarded through the reader/writer 15 to the card 10. The destination address is found in the preamble
section of the message. A message format suitable for use in the present invention is shown in FIG. 9 and described
in greater detail later herein.

The reader/writer 15 and the card 10 both implement the same half-duplex communication protocol with the station at
the data link layer 186. The card 10 is fully passive and not able to initiate any transaction with the station 18.
The reader/writer 15 differs, in one aspect, in that it is able to signal 'attention' to the station via a carrier
detect lead in the serial port connecting the two. The station 18 responds to the 'attention' signal after completing
any present transaction in which it is then involved. The station next interrogates the reader/writer 15 to determine
the reason for the 'attention' signal. An example of when the reader/writer 15 would provide such an attention signal
is when the card 10 is inserted in an accommodating slot (not shown) on the reader/writer 15 and in position for
communicating with the station 18. A second example would be when the card 10 is removed from the slot in the
reader/writer 15.

The reader/writer has two layers, a link layer 151 and a command layer 152. The link layer 151 acts as the transparent
medium between the station 18 and card 10, passing commands or responses therebetween. The link layer 151 in the
reader/writer 15 also provides buffering and baud rate conversion, as necessary. The transmission rate between the
card 10 and the reader/writer 15 is maintained at 19200 baud. If the baud rate between the station 18 and the
reader/writer 15 is slower than the baud rate between the reader/writer 15 and the card 10, the reader/writer 15
provides the baud rate conversion and buffers the message such that it is sent to the card as a block of contiguous
data. The second layer in the reader/writer is the command layer. This layer is in the reader/writer for responding to
those commands specifically addressed to the reader/writer from the station 18.

Data in the protocol is sent over the communication link in a serial manner, character by character. A character is framed with one start bit and one stop bit. Messages of contiguous blocks of characters are initiated at any time within the constraints of the half-duplex protocol. The station 18 and the reader/writer 15 or the card 10 exchange information in a predefined message packet. A packet contains control information as to where the data begins and ends in the packet and also contains information for checking the message data integrity.

Referring now to FIG. 9 in greater detail, and in combination with FIG. 8, there is shown a message format suitable for use in the present invention wherein the station 18 addresses the reader/writer 15 or the card 10. The message format consists of a preamble 91 for addressing the reader/writer 15 or card 10 and a start-of-frame control sequence 92 for marking the beginning of the message (DLE STX). Next in the message format is the link status 93 which contains information as to either acknowledgment (ACK) or negative acknowledgment (NAK) of the message transmitted, information as to whether an error occurred during transmission, and a sequence number (tag) of the current message. Every message is assigned a sequence number. A modulus 8 scheme is employed in the message format using the three least significant bits in the link status byte.

Next is the command and data field 94 which contains the transmitted data followed by an end-of-frame control sequence 95 marking the end of a message (DLE ETX). Finally a two byte checksum 96 is generated by applying an algorithm described in an article entitled "An Arithmetic Checksum for Serial Transmissions," J. G. Fletcher, IEEE Transactions on Communications, Volume COM-30, Jan. 1982, pp. 247-252.

A message packet response provided back to the station 18 from the reader/writer 15 or from the card 10 is identical to the message packet generated by the station. The message format depicted in FIG. 9 is thus applicable to communications between all of the sub-systems. The preamble of a message transmitted from the station 18 consists of 8 bytes. A message is considered received correctly by the station 18 if at least three of these consecutive preamble characters are detected by the sub-system to which it is then attempting to communicate.
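The frame layout of FIG. 9 (preamble 91, DLE STX 92, link status 93, command/data 94, DLE ETX 95, two-byte checksum 96), as an added example that is not part of the patent: the preamble byte value, the flag bit positions inside the link status byte, the exact Fletcher variant and the bytes the checksum covers are assumptions, since the patent fixes only the 8-byte preamble length and the tag in the three least significant bits.

```python
DLE, STX, ETX = 0x10, 0x02, 0x03
PREAMBLE = b"\x55" * 8          # constructed value; the patent fixes only the length (8 bytes)
ACK_BIT, NAK_BIT, ERR_BIT = 0x80, 0x40, 0x20   # assumed flag positions in the link status byte
TAG_MASK = 0x07                 # the tag occupies the three least significant bits (modulus 8)


def fletcher16(data: bytes) -> bytes:
    """Two-byte Fletcher checksum (8-bit running sums mod 255), after Fletcher 1982."""
    s1 = s2 = 0
    for b in data:
        s1 = (s1 + b) % 255
        s2 = (s2 + s1) % 255
    return bytes([s1, s2])


def build_frame(tag: int, payload: bytes, ack: bool = False, nak: bool = False, err: bool = False) -> bytes:
    """Preamble 91 | DLE STX 92 | link status 93 | command/data 94 | DLE ETX 95 | checksum 96."""
    status = (tag & TAG_MASK) | (ACK_BIT if ack else 0) | (NAK_BIT if nak else 0) | (ERR_BIT if err else 0)
    body = bytes([status]) + payload
    # Assumption: the checksum covers the link status byte and the command/data field.
    return PREAMBLE + bytes([DLE, STX]) + body + bytes([DLE, ETX]) + fletcher16(body)


def parse_frame(raw: bytes):
    """Decode a frame into its fields; return None when framing or the checksum fails."""
    n = 0
    while n < len(raw) and raw[n] == PREAMBLE[0]:
        n += 1
    # The patent accepts a message once at least three consecutive preamble characters are
    # seen, so a frame whose first preamble bytes were lost on the line still decodes.
    if n < 3 or raw[n:n + 2] != bytes([DLE, STX]) or raw[-4:-2] != bytes([DLE, ETX]):
        return None
    body, check = raw[n + 2:-4], raw[-2:]
    if not body or fletcher16(body) != check:
        return None
    status = body[0]
    return {"tag": status & TAG_MASK, "ack": bool(status & ACK_BIT), "nak": bool(status & NAK_BIT),
            "err": bool(status & ERR_BIT), "payload": body[1:]}
```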

To initialize communication with either the reader/writer 15 or card 10, the station 18 sends a 'link reset' message. Communication fails if the station receives a NAK or a predetermined time expires before a response is received. Once communication with the reader/writer 15 is established, the reader/writer informs the station 18 when the card 10 is inserted or if the card is already present. After the card 10 is inserted, the reader/writer 15 signals 'attention' to the station 18. When the station determines that the inserted card is a smart card rather than, for example, a card having only a magnetic stripe, the station sends a link reset message to the card to initialize it. Once initialized, the card awaits commands from the application layer 181 in the station 18. When a request is received, it is processed by a command layer 101 in the card 10 and a response is sent back to the station 18 while the card 10 waits for the next command. The station 18 can arbitrarily choose which subsystem to address and what message to send, i.e. either link reset or a command.

FIG. 10 is a flow chart illustrating the link layer decision making process for the station 18. In communicating with the reader/writer 15 or the card 10 during a normal transaction, the station 18 sends a message and sets up a timer. Next, the station either receives a response from the subsystem it is then attempting to communicate with or the timer expires. If the link status byte in the message response to the station contains an ACK, this reflects that the transaction has been completed successfully and the tag value is incremented modulo 8. The response is then provided to the application layer 181 in the station 18.

If a negative acknowledge or NAK is received, at least two more link retries are attempted and the tag value stays the same. The station does not ask for a retransmission; rather it transmits the last command again. If an acknowledge or ACK is not received after three tries, link level error recovery is initiated.

FIG. 11 is a flow chart illustrating the link layer decision making process for both the reader/writer 15 and the card 10. Referring to both FIG. 8 and FIG. 10, in communicating back to the station during a normal transaction, the reader/writer 15 or the card 10 observes the tag for each message it receives to decide if the current request is a new transaction, or a retransmit request for the previous one. If the current tag value is different from the tag value of the previous transaction then the incoming message is treated as a new transaction. If the current tag value equals the previous tag value then a retransmission is being requested by the station 18. The reader/writer 15 or card 10 always responds with the tag associated with the last valid command it has processed. Thus if a present transmission fails, i.e. 'bad message', the link layer responds with negative acknowledge (NAK) and the last valid tag. A 'null' command causes the reader/writer 15 or card 10 to reset its sequencing tag to the tag it receives. On reset, the reader/writer 15 or card 10 initializes the tag to an invalid value to ensure that the incoming message is treated as a new one.
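The tag rules of FIG. 11 on the reader/writer or card side, together with the station-side retry rule of FIG. 10, as an added example that is not the patent's own code: framing is left out, the message dictionaries, the command-layer callable, the "NULL" command name and the `corrupt` test hook are assumptions, and a timer expiry is treated the same as a NAK.

```python
INVALID_TAG = -1   # reset value: can never equal a real 3-bit tag, so the next message is new


class Subsystem:
    """Link layer of the reader/writer or card (FIG. 11): new transaction or retransmit?"""

    def __init__(self, command_layer):
        self.command_layer = command_layer   # assumed callable: command name -> response bytes
        self.last_tag = INVALID_TAG          # on reset the tag is initialised to an invalid value
        self.last_response = None
        self.executed = 0                    # how many commands really reached the command layer

    def receive(self, tag, command, bad=False):
        if bad:                              # 'bad message': NAK carrying the last valid tag
            return {"ack": False, "nak": True, "tag": self.last_tag, "payload": b""}
        if command == "NULL":                # assumed name: the null command realigns the tag
            self.last_tag = tag
            self.last_response = {"ack": True, "nak": False, "tag": tag, "payload": b""}
            return self.last_response
        if tag == self.last_tag:             # same tag: the station is retransmitting, replay
            return self.last_response
        self.executed += 1                   # different tag: a new transaction
        self.last_tag = tag
        self.last_response = {"ack": True, "nak": False, "tag": tag,
                              "payload": self.command_layer(command)}
        return self.last_response


class Station:
    """Station link layer (FIG. 10): retry the same command, same tag, up to three times."""

    def __init__(self, link, corrupt=lambda attempt: False):
        self.link, self.tag = link, 0
        self.corrupt = corrupt               # test hook: which attempts arrive as 'bad message'

    def send(self, command):
        for attempt in range(3):
            resp = self.link.receive(self.tag, command, bad=self.corrupt(attempt))
            if resp is not None and resp["ack"]:
                self.tag = (self.tag + 1) % 8   # success: tag advances modulo 8
                return resp["payload"]
            # NAK (or timer expiry): keep the tag and send the last command again
        raise ConnectionError("no ACK after three tries: link level error recovery")
```

Because a retransmitted tag replays the stored response instead of re-running the command, a lost ACK cannot make the card execute a write twice.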

Termination of a session with a card 10 may be initiated by the station 18 requesting the reader/writer 15 to turn off power to the card 10 or by the user pulling out the card 10. In the latter case, the reader/writer 15 automatically stops powering the empty card slot and signals 'attention' to the station 18. The station then sends a 'status request' command to the reader/writer 15. In response, the reader/writer 15 notifies the station 18 that the card 10 has been pulled out and the link layer reports communication errors to the application layer after the three unsuccessful attempts to communicate with the card 10. This is necessary since only the application layer can declare the reader/writer as inactive.
1. In a portable data carrier (10), a security file system
CHARACTERIZED BY
comprising both a file header region (35) and a file data segment region (30), the file header region containing a first password for verifying the identity of an individual attempting to access the data in the portable data carrier, and the file data segment region containing a plurality of files (41-48) for storing alterable data, access to each file in the file data segment region for a desired transaction being controlled by a second password assigned to an individual authorized to conduct transactions within the portable data carrier.

2. The security file system of claim 1 wherein each file in the portable data carrier includes file permission (43-45) information for defining the type of access permitted to an individual.

3. The security file system of claim 2 wherein the file permission information in the portable data carrier includes read permission, write permission and append permission, a first file (43) having read permission allowing an individual to only read data therein, a second file (44) having write permission allowing an individual to read data therein and write data thereto, and a third file (45) having read and append permission allowing an individual to only read data therein and append data thereto.

4. The security file system of claim 3 further including multiple security levels hierarchically arranged in a manner to comprise a least secure level, a most secure level and multiple other security levels interposed therebetween, access to each security level being controlled by a corresponding password assigned only to an individual authorized to access the data at that security level.

5. The security file system of claim 4 wherein the file permission information is assignable according to security level, a first higher order security level having permission to read data in and write data to the second file and a second lower security level having permission to only read data in the second file.

6. The security file system of claim 4 wherein the file permission information is assignable according to security level, a first higher order security level having permission to read data in and write data to the second file and a second lower security level having permission to only read data in and append to the data in the second file.

7. The security file system of claim 4, further including data and a unique access code for verifying the identity of an individual attempting to access the data in the portable data carrier, the security file system comprising:

counting means for recording all access attempts, the counting means advancing a count each time a code is externally provided to the portable data carrier;

verifying means for providing an indication when the externally provided code compares favorably with the code stored in the portable data carrier;

counting reset means for resetting the count advanced by the counting means to its previous count, the counting reset means being activated in response to the verifying means indicating a favorable comparison and data access is permitted, the counting reset means remaining inactive in the absence of the verifying means indicating a favorable comparison.

8. The security file system of claim 7 wherein the counting means counts to a predetermined number and upon reaching this number erases all data from the portable data carrier.

9. The security file system of claim 7 wherein the counting means counts to a predetermined number and upon reaching this number locks, thereby preventing further access attempts.

10. The security file system of claim 9 wherein the hierarchically arranged multiple security levels allow an authorized individual to obtain access to the data in the portable data carrier at a higher security level than a locked security level, the higher security level in the portable data carrier being able to unlock the portable data carrier at the locked security level.

11. The security file system of claim 4 further including multiple files and wherein each file therein contains data and has a unique access code associated therewith for verifying the identity of an individual attempting to access the data in that particular file, the security file system comprising:

counting means for recording all access attempts, the counting means advancing a count each time a code is externally provided to the portable data carrier;

verifying means for providing an indication when the externally provided code compares favorably with the code stored in the security file system;

counting reset means for resetting the count advanced by the counting means to its previous count, the counting reset means being activated in response to the verifying means indicating a favorable comparison and data access is permitted, the counting reset means remaining inactive in the absence of the verifying means indicating a favorable comparison.

12. The security file system of claim 11 wherein the counting means counts to a predetermined number and upon reaching this number erases all data from the file to which access is then being attempted.

13. The security file system of claim 11 wherein the counting means 
counts to a predetermined number and upon reaching this number locks the file 
to which access is then being attempted. 
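The per-file access-attempt counter of claims 11 to 13, with the counting means, verifying means and counting reset means of claim 11, the erase or lock outcome of claims 12 and 13, and the higher-level unlock of claim 10, as an added example that is not the patent's own code; the attempt limit, the level numbering and the class and method names are assumptions.

```python
from hmac import compare_digest


class ProtectedFile:
    """One file of the data segment region with its own access code and attempt counter."""

    def __init__(self, code: bytes, data: bytes, level: int, limit: int = 3, erase: bool = False):
        self.code, self.data, self.level = code, data, level
        self.limit, self.erase = limit, erase   # assumed: predetermined number and claim 12/13 choice
        self.count = 0                          # counting means
        self.locked = False

    def present_code(self, code: bytes):
        """Return the file data on a favorable comparison, otherwise None."""
        if self.locked:
            return None
        self.count += 1                                  # counting means advances on every attempt
        if compare_digest(self.code, code):              # verifying means (constant-time compare)
            self.count -= 1                              # counting reset means: back to previous count
            return self.data
        if self.count >= self.limit:                     # predetermined number reached
            if self.erase:
                self.data = b""                          # claim 12: erase the data of this file
            self.locked = True                           # claim 13: no further access attempts
        return None

    def unlock(self, requester_level: int) -> bool:
        """Claim 10: only a higher security level than the locked one may unlock it."""
        if self.locked and requester_level > self.level:
            self.locked, self.count = False, 0
            return True
        return False
```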